Entrust SSL Certificates - Error Message Regarding Invalid Certificate
WHAT'S HAPPENING:
Some individuals who recently installed Entrust SSL certificates received error messages stating the certificate was not valid or was signed by an unknown authority.
WHO'S AFFECTED:
Anyone with certificates that have an expiration date beyond 31 December 2010.
WHAT YOU NEED TO DO:
In order to deploy your SSL certificate, you will need to install the L1B Chain Certificate, which chains your certificate to the 2048 Root.
- You will automatically receive an email from Entrust Certificate Services that contains a link to your certificates on the Entrust web site. This site will contain your SSL Certificate(s) and a chain certificate called the Entrust L1B Chain Certificate.
- Entrust provides information on how to install their Chain Certificates for the various web servers (see special note below).
- The Chain Certificate only needs to be installed on the server that the SSL certificate is installed on. This allows end-user software (browsers and other TLS clients) to follow the certification path from your certificate, through L1B, directly to the Root.
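The following shell script is an added example, not part of the UCSF notice or of Entrust's instructions. It uses the openssl command line (present on RHEL/CentOS/Fedora) to build a throwaway three-tier hierarchy: a self-signed 2048-bit root standing in for the Entrust 2048 Root, an intermediate standing in for the L1B Chain Certificate, and a server certificate. All names and files are constructed for the demonstration. It then shows the exact failure mode behind the "unknown authority" errors: verifying the server certificate against the root alone fails because no path can be built, and succeeds once the chain certificate is supplied, and it builds and lists the combined chain file a web server should present.

```shell
#!/bin/sh
# Added example: demonstrate why the intermediate (chain) certificate must be
# installed alongside the server certificate. All keys, names and files below
# are constructed locally; nothing here is Entrust's material.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Root CA: 2048-bit RSA, self-signed (stands in for the 2048 Root).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Root (2048) - constructed" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -sha256 -days 365 -in root.csr -signkey root.key \
  -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root (stands in for the L1B chain cert).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example L1B - constructed" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -sha256 -days 365 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

# 3. Server (end-entity) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -sha256 -days 365 -in server.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -out server.pem 2>/dev/null

# verify_leaf ROOT LEAF [INTERMEDIATE]
# Exit status of `openssl verify`: 0 when a path to the trusted root is built,
# non-zero when it cannot be (the client-side "unknown authority" situation).
verify_leaf() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# bundle_chain LEAF INTERMEDIATE OUT
# Builds the chain file a web server presents: server cert first, then the
# chain cert(s); the root itself does not need to be sent.
bundle_chain() { cat "$1" "$2" > "$3"; }

# list_chain BUNDLE
# Prints subject/issuer of every certificate in presented order, so you can
# confirm each issuer equals the subject of the certificate that follows it.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# cert_count BUNDLE: number of PEM certificates in a bundle.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Demonstration.
if verify_leaf root.pem server.pem; then
  echo "root only: verified (unexpected)"
else
  echo "root only: FAILS - chain certificate missing, path cannot be built"
fi
if verify_leaf root.pem server.pem int.pem; then
  echo "with chain certificate: OK"
fi
bundle_chain server.pem int.pem chain.pem
echo "chain.pem contains $(cert_count chain.pem) certificates:"
list_chain chain.pem
```

The first `verify_leaf` call reproduces the reported error from the client's point of view: the client trusts the root but has never seen the intermediate, so it cannot connect the server certificate to anything it trusts. Installing the chain certificate on the server (the second call, and the `chain.pem` bundle) is what closes that gap; the root never has to be distributed with the server certificate because clients already hold it.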
ADDITIONAL INFORMATION:
The US National Institute of Standards and Technology (NIST) issued NIST Special Publication 800-57, Recommendation for Key Management, which advises that 1024-bit RSA keys will no longer be viable after 2010. Based on the NIST recommendations, the CA/Browser (CAB) Forum and Microsoft have implemented requirements to move from 1024-bit to 2048-bit RSA.
In order to comply with NIST, the CA/Browser (CAB) Forum and Microsoft, Entrust has taken the following steps:
- Deployed a new root called 'Entrust.net Certification Authority (2048)' which has a 2048-bit RSA key;
- Deployed a Subordinate CA (L1B) that will be used in conjunction with the 2048 Root to increase the security of both the Root and the end entity server certificates;
- Begun the transition to signing their SSL certificates from the L1B Subordinate CA.
SPECIAL NOTE:
Andrew Philipoff, Department of Medicine's Infrastructure Coordinator, found Entrust's instructions for RHEL/CentOS/Fedora to be less than accurate and has offered to provide additional information based on his experience.
Therefore, anyone at UCSF using RHEL/CentOS/Fedora should feel free to contact him for detailed information on how to install the Entrust Chain Certificate.
Andrew Philipoff
Phone 415-476-1344
aphilipoff@medicine.ucsf.edu
On behalf of OAAIS EIS, I would like to thank Andrew Philipoff for his assistance to date, and his further offer to assist others with this matter.
If you have questions about any of the information provided above, you may send email inquiries to security@ucsf.edu.
Teresa A. Regalia, GCIH
UCSF Enterprise Information Security
Telephone: 415-502-1567
Teresa.Regalia@ucsf.edu
OAAIS Customer Support Service Desk 7 a.m. - 6 p.m., Mon - Fri
(415) 514-4100, Option 2
CustomerSupport@ucsf.edu
http://help.ucsf.edu
RESOURCES:
- Entrust Certificate Services Support Knowledge Base - TN7710
http://www.entrust.net/knowledge-base/technote.cfm?tn=7710
- NIST - Recommendation for Key Management
http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf
- CA/Browser Forum
http://www.cabforum.org/
